Julian Roberts shares his advice on how businesses can get prepared well ahead of next May’s changes.
July’s Cyber Governance Health Check Report 2017 revealed that only 6% of FTSE 350 companies are properly prepared for the changes to the General Data Protection Regulation (GDPR)*.
All businesses in the UK need to adhere to the EU’s updated GDPR legal framework when it comes to customer data they hold and how it’s used. The deadline date is 25 May 2018, which may seem like plenty of time to prepare.
However, it’s such a complex topic with some hefty penalties that it’s important to understand what the changes entail and be well equipped ahead of the deadline – and this includes training all employees.
If businesses fail to recognise the regulations and comply, they face penalties of up to 4% of a company’s global annual turnover or £17m, so it is something all organisations should take seriously, as this size of fine could end a business.
When it comes to training employees, there are a few main things business owners should know about GDPR and what to consider as part of the training and compliance process:
- Get to grips with GDPR – everyone in the company needs to know the basic principles of GDPR, as well as how it differs from the UK Data Protection Act and the EU Data Protection Directive.
- Know who GDPR applies to – GDPR applies directly and should reduce the level of national data protection variation across member states of the EU. It applies to organisations based in the EU and those outside the EU if they process the personal data of EU residents.
- Know the penalties – 4% of the global turnover or £17 million – whichever value is the greatest.
- Stress everyone’s responsibility – it’s important to trickle down the responsibility to every employee, as anyone working with personal data of any kind needs to be compliant with the changes coming into effect.
- Know what’s classified as personal data – it includes anything from data on location to online identifiers.
- Ensure consent for the data – any personal data a company holds should have appropriate and explicit consent given by the owner for the desired use. The consent must be informed, specific and unambiguous.
- Understand the data processing principles – the GDPR framework outlines these principles, which include a new accountability principle for data controllers and processors whereby they must be able to demonstrate compliance.
- Know individuals’ rights – individuals have the right to obtain information from the data controller on how and where their data is being used.
- Be prepared to provide individual data – the data controller must provide individual data upon request free of charge. If rights are infringed, individuals can take legal action against data controllers and data processors.
- Train your staff – although it might seem a lot to digest, with the right training on all of the above, it’s manageable if organisations start training all staff soon to ensure company-wide compliance.
GDPR is a complicated subject, which is why it’s vital that businesses start to get to grips with the principles and practicalities well ahead of the deadline. It may seem daunting, but with the right training, organisations can be safe in the knowledge that all staff are educated and the business is moving towards compliance.
EssentialSkillz has launched a course aimed at employees at all levels to start their preparations for GDPR. The 50-minute course is ideal for all employees, providing an understanding of GDPR from every angle so that they can apply the learning and be confident in achieving compliance.
Find out more about EssentialSkillz and its GDPR course.
About the author
Julian Roberts is CEO of EssentialSkillz, a global leader in online safety training and compliance software,